valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
efd3af0812
SigmaHQ/rules/windows/builtin/win_impacket_secretdump.yml

23 lines
724 B
YAML
Raw Normal View History

Create win_impacket_secretdump.yml
2019-04-03 13:18:42 +00:00
title: Possible Impacket SecretDump remote activity
Added UUIDs to rules
2019-11-12 22:12:27 +00:00
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
Create win_impacket_secretdump.yml
2019-04-03 13:18:42 +00:00
description: Detect AD credential dumping using impacket secretdump HKTL
author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
- attack.credential_access
Update win_impacket_secretdump.yml
2019-04-03 19:49:30 +00:00
- attack.t1003
Create win_impacket_secretdump.yml
2019-04-03 13:18:42 +00:00
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: \\*\ADMIN$
Fixed wrong backslash escaping of * Fixes issue #466
2019-10-07 20:09:53 +00:00
RelativeTargetName: 'SYSTEM32\\*.tmp'
Create win_impacket_secretdump.yml
2019-04-03 13:18:42 +00:00
condition: selection
falsepositives:
- pentesting
level: high
Reference in New Issue Copy Permalink